Re: mlock as non-root: use rlimits

[Chris Wright]

* Arjan van de Ven (arjanv@xxxxxxxxxx) wrote:
> non-root" issue, which recently cropped up again in relation to hugetlbfs
> and Oracle. The proposed solution comes down to using the MEMLOCK rlimit,
> which previously was used to restrict how much memory *root* processes can
> mlock as limit for non-root processes, and let root (well CAP_IPC_LOCK
> processes) mlock to infinity (which was the rlimit default anyway).
> The default behavior of the kernel doesn't change with this patch, but with
> this patch the sysadmin can use the standard rlimit mechanism (eg via PAM
> usually) to allow specific users to mlock memory, for example the oracle
> database user account.
>                                                                               
> Comments?

Hi Arjan, how is this different from the last time this patch was posted?

http://marc.theaimsgroup.com/?l=linux-kernel&m=108087017610947&w=2

The hugetlbfs and SHM_LOCK bits don't work well with rlimits.  For
example, it's trivial to corrupt the locked_vm count with a SHM_LOCK
segment.  I like this, but I think it only works with mlock().  Did I
miss something?

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/